Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Winevar.A@mm

Overview

Threat Risk MEDIUM MEDIUM
Destructivity HIGH HIGH
Payload File deletion
Detection files published 24 Nov 2002 03:00:00
Description created 25 Nov 2002 04:03:00
Description updated 25 Nov 2002 09:50:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Winevar.A@mm

Spreading

When the worm is first run, it will first kill open processes that contain any of the strings below:


"view", "debu", "scan", "mon", "vir", "iom", "ice", "anti", "fir", "prot", "secu", "dbg", "avk", "pcc", "spy"

and at the same time does not contain any of the strings
"microsoft", "ms", "_np", "r n", "cicer",
"irmon", "smtpsvc", "moniker", "office", "program" or "explorewclass".


It proceeds to copy itself to the Windows system directory under the name WIN????.PIF, the questionmarks denote random letters, and executes itself there. It checks the time this process takes; if too long it will trigger a destructive payload.

If not, it creates a mutex "~~Drone of StarCraft~~"

It now checks whether it has access to the Internet by attempting to connect to www.symantec.com, and download the main page to a file with a semi-random name. If this is unsuccessful, it will install a lightly patched version of the Funlove virus on the hard disk and execute it. The dropper file name will be WIN????.TMP.

The worm searches through files on local hard disk for email addresses to send itself to.


Payload Details

The worm has two different payloads - one directed at deleting some antivirus products. The other one is time-triggered and will attempt to delete all files in all directories where the worm was executed from. This happens only when the process of copying itself to the Windows system directory and starting itself there takes more than 512 milliseconds.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14